NAME

SYNOPSIS

DESCRIPTION

You can use this subcommand to sign outstanding certificate requests, list
and manage local certificates, and inspect the state of the CA.

OPTIONS

Note that any setting that's valid in the configuration
file is also a valid long argument, although it may or may not be
relevant to the present action. For example, server and run_mode are valid
settings, so you can specify --server <servername>, or
--run_mode <runmode> as an argument.

ACTIONS

fingerprint - Print the DIGEST (defaults to the signing algorithm) fingerprint of a host's certificate.:
SYNOPSIS

puppet ca fingerprint [--digest ALGORITHM]

DESCRIPTION

Print the DIGEST (defaults to the signing algorithm) fingerprint of a host's certificate.

OPTIONS--digest ALGORITHM -
The hash algorithm to use when displaying the fingerprint

generate - Generate a certificate for a named client.:
SYNOPSIS

puppet ca generate [--dns-alt-names NAMES]

DESCRIPTION

Generate a certificate for a named client.

OPTIONS--dns-alt-names NAMES -
A comma-separated list of alternate DNS names for Puppet Server. These are extra
hostnames (in addition to its certname) that the server is allowed to use when
serving agents. Puppet checks this setting when automatically requesting a
certificate for Puppet agent or Puppet Server, and when manually generating a
certificate with puppet cert generate.

In order to handle agent requests at a given hostname (like
"puppet.example.com"), Puppet Server needs a certificate that proves it's
allowed to use that name; if a server shows a certificate that doesn't include
its hostname, Puppet agents will refuse to trust it. If you use a single
hostname for Puppet traffic but load-balance it to multiple Puppet Servers, each
of those servers needs to include the official hostname in its list of extra
names.

Note: The list of alternate names is locked in when the server's
certificate is signed. If you need to change the list later, you can't just
change this setting; you also need to:

On the server: Stop Puppet Server.

On the CA server: Revoke and clean the server's old certificate. (puppet cert clean <NAME>)

On the server: Delete the old certificate (and any old certificate signing requests)
from the ssldir.

On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to request a new certificate

On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to retrieve the cert.

On the server: Start Puppet Server again.

To see all the alternate names your servers are using, log into your CA server
and run puppet cert list -a, then check the output for (alt names: ...).
Most agent nodes should NOT have alternate names; the only certs that should
have them are Puppet Server nodes that you want other agents to trust.